7

I have a network share folder that I was recently cleaning up permissions on. I took off the four individual names from the access permissions to the folder, and added a new security group (Universal) with standard Read/Write permissions to that folder, then added those 4 people to the group.

However... now nobody can see the folder. The users can see the other 9 folders in that shared drive, but the 10th is missing. I cannot see any security permission in the parent folder or in the folder itself which would cause it to be invisible to anyone, regardless of whether they have permission to open it or edit files within.

Edit: The file server (unlike the Exchange and DC) is Server 2008. Apologies for the incorrect information previously, I had not actually remoted into the file server directly before. However, for the share in question Access Based Enumeration is disabled.

Edit 2: As noted in a comment below, ABE was enabled. Confusingly, someone set up the shared area for the site using nested shares... \\server\share\shareA\folders. While 'share' did not have ABE enabled, 'shareA' did. My lack of in-depth knowledge of the configuration delayed accurate diagnosis of the issue.

Myrddin Emrys
  • Is the share name suffixed with a dollar? That would hide it from Windows Explorer views. – Ben Pilbrow Nov 23 '11 at 23:26
  • @Ben The share name is not; in addition, this is a folder inside the share. \\server\share\folder8. Even were the share invisible, I need to know why folder1, folder2, folder3, etc. are visible but folder8 is not. – Myrddin Emrys Nov 23 '11 at 23:36
  • That might be Access Based Enumeration (see my answer). If it is, just logoff/logon like jer.salamon says and it should be fine. – Ben Pilbrow Nov 23 '11 at 23:42

3 Answers

10

You may be encountering Access Based Enumeration. Basically, if your user account does not have read permission on a directory, it is hidden from view.

As already mentioned, this is because you removed the users' explicitly defined access and replaced it with a group, and the affected users' logon tokens do not include the new group they are a member of. A simple logoff/logon should refresh the logon token to include this new group and make the directory visible in Windows Explorer.

Ben Pilbrow
  • I considered ABE as well, but it's a manual process to enable and apply it in W2K3, unlike in W2K8... so I'm a little skeptical of ABE being the cause of the problem here. I'm curious to see what the resolution turns out to be. – joeqwerty Nov 24 '11 at 00:27
  • Since this sounds exactly like ABE, how can I tell if ABE is enabled on a share? I should mention that I'm a junior admin here, and this server has existed long before I arrived. There are many settings on individual servers and shares that I am completely unaware of. – Myrddin Emrys Nov 24 '11 at 02:31
  • Never mind. I remoted into the file server directly, and it turns out that it is Server 2008 (oopsie), but that ABE is disabled for the share in question. Can ABE be enabled on a subfolder, rather than a share? – Myrddin Emrys Nov 24 '11 at 02:46
  • No. ABE is enabled on the share, not on the folders within the share. ABE affects access to the folders in the share (by hiding folders that the user doesn't have permissions on). ABE is enabled by default when sharing a folder from Windows Explorer but is not enabled by default when sharing a folder using the Share and Storage Management console. – joeqwerty Nov 24 '11 at 03:29
  • And I was wrong AGAIN. Hilarity ensues. The cause was ABE. One share contained a shortcut to another share; when I looked at the properties of the primary Share, ABE was not enabled. But on the share it linked to, it was. In addition, logging out and back in successfully fixed the visibility issue. Answer accepted. – Myrddin Emrys Nov 25 '11 at 20:33
5

For the permissions to the group to take effect you need to have them log off and log back in. If you haven't done this they will be unable to view the folder because their account is not linked to the group yet.

jer.salamon
  • Sadly the user had to leave, so I cannot test this solution now. I will let you know if this worked on Friday. – Myrddin Emrys Nov 23 '11 at 23:39
  • Their user account is a member of the group, but their tokens for the current login won't reflect that group membership. – MDMarra Nov 23 '11 at 23:58
4

Have the users log back in to the workstation. This will update their token with the new group membership.

Jim B
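
The two checks this thread converged on (ABE set on a nested share, and a logon token that predates the new group membership), as an added PowerShell example that is not part of any answer above. It assumes the SmbShare module (Windows Server 2012 or later, so not the Server 2008 host in the question); the function names, `D:\Shares\Site\folder8` and `CONTOSO\Folder8-RW` are placeholders.

```powershell
# Added example; function names, paths and group names are placeholders.

# Run on the file server. Lists every share whose path contains the folder,
# with its Access Based Enumeration setting. Each nested share carries its
# own setting, so checking only the top-level share can miss the one that
# is actually hiding the folder.
function Get-AbeForFolder {
    param([Parameter(Mandatory)][string]$FolderPath)

    $target = $FolderPath.TrimEnd('\') + '\'
    Get-SmbShare |
        Where-Object { $_.Path -and -not $_.Special } |          # skip IPC$, C$ and other admin shares
        Where-Object {
            $root = $_.Path.TrimEnd('\') + '\'
            $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        Select-Object Name, Path, FolderEnumerationMode          # AccessBased or Unrestricted
}

# Run as the affected user on their workstation. Reports whether the group's
# SID is present in the token of the current logon session. A user added to
# the group after logging on shows InToken = False until they log on again.
function Test-GroupInToken {
    param([Parameter(Mandatory)][string]$GroupName)

    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $match   = $token.Groups | Where-Object { $_.Value -eq $sid.Value }

    [pscustomobject]@{
        User     = $token.Name
        Group    = $GroupName
        GroupSid = $sid.Value
        InToken  = [bool]$match
    }
}

# Example calls (placeholder values):
#   Get-AbeForFolder  -FolderPath 'D:\Shares\Site\folder8'
#   Test-GroupInToken -GroupName  'CONTOSO\Folder8-RW'
```

If any share returned by `Get-AbeForFolder` shows `AccessBased` while `Test-GroupInToken` shows `InToken = False`, the folder stays hidden from that user until a new logon rebuilds the token.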